[curves] Finalizing XEdDSA

Conrado P. L. Gouvêa conradoplg at gmail.com
Wed May 22 11:13:16 PDT 2019


On Mon, Oct 31, 2016 at 7:12 PM Trevor Perrin <trevp at trevp.net> wrote:
>
> https://whispersystems.org/docs/specifications/xeddsa/
>
> Thanks for feedback everyone,
>
> I plan to make the following tweaks, then freeze the design (at least
> for 25519):
>
(...)
>
>  (2) Replace hash_i(a || ... || Z) with hash_i(a || Z || pad || ...)
> for reasons here [2] - mainly a bit more sidechannel resistance, and
> slightly cleaner use of the hash.
>

Sorry for resurrecting this, but I've been studying this issue and I'm
wondering: is there any reason why this was not incorporated into the
specification? It still uses hash_i(a || ... || Z).

In this paper https://eprint.iacr.org/2017/985.pdf it is explicitly
mentioned that XEdDSA is vulnerable for this reason.

Best regards,

Conrado
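To make the difference between the two nonce derivations concrete, here is an added illustration (not code from the thread, the XEdDSA spec, or any library) that lays out the bytes fed to SHA-512 in each ordering and reports where the message M lands relative to the 128-byte compression-function blocks. It assumes the spec's definitions for curve25519: hash_i(X) = SHA-512(2^256 - 1 - i || X) with the integer little-endian, a 32-byte scalar a, a 64-byte random Z, and (an assumption about the proposed tweak) a zero-byte pad that extends a || Z to the next block boundary. The sample key, message and Z below are constructed for the demonstration.

```python
import hashlib
import os

BLOCK = 128      # SHA-512 processes input in 128-byte blocks
P_BITS = 256     # |p| for curve25519 in the XEdDSA spec


def hash_prefix(i: int) -> bytes:
    """Prefix for hash_i(X) = hash(2^|p| - 1 - i || X), little-endian integer."""
    return (2 ** P_BITS - 1 - i).to_bytes(P_BITS // 8, "little")


def nonce_original(a: bytes, M: bytes, Z: bytes) -> bytes:
    """r = hash_1(a || M || Z), the ordering still in the published spec."""
    return hashlib.sha512(hash_prefix(1) + a + M + Z).digest()


def nonce_reordered(a: bytes, M: bytes, Z: bytes) -> bytes:
    """r = hash_1(a || Z || pad || M), the tweak proposed in the thread.

    The pad length is an assumption: zero bytes up to the next block boundary.
    """
    head = hash_prefix(1) + a + Z
    pad = b"\x00" * ((-len(head)) % BLOCK)
    return hashlib.sha512(head + pad + M).digest()


def message_offset(ordering: str, a_len: int = 32, z_len: int = 64) -> int:
    """Byte offset at which attacker-chosen M begins in the hash input."""
    prefix_len = P_BITS // 8
    if ordering == "original":
        return prefix_len + a_len
    if ordering == "reordered":
        head = prefix_len + a_len + z_len
        return head + ((-head) % BLOCK)
    raise ValueError(ordering)


def message_shares_block_with_key(ordering: str) -> bool:
    """True when M is absorbed in the same compression call as the secret a.

    In the original ordering the first block holds prefix || a || M[0:64], so a
    chosen-message input is mixed with the secret inside one compression call.
    In the reordered layout the first block is prefix || a || Z and M only starts
    at the next block boundary.
    """
    return message_offset(ordering) % BLOCK != 0


if __name__ == "__main__":
    # Constructed sample values; not real key material.
    a = bytes(range(32))
    Z = os.urandom(64)
    M = b"constructed sample message"
    for name in ("original", "reordered"):
        print(name, "M starts at byte", message_offset(name),
              "shares block with a:", message_shares_block_with_key(name))
    assert nonce_original(a, M, Z) != nonce_reordered(a, M, Z)
```

Running the script shows M beginning at byte 64 in the original ordering (inside the block that also holds a) and at byte 128 in the reordered one (the first block is entirely prefix || a || Z), which is the structural property the proposed tweak was meant to provide. The nonce is still reduced mod q before use in the actual signing procedure; that step is omitted here.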

